AI vendors based in India
AI vendors based in India are subject to the Digital Personal Data Protection Act (DPDP Act, 2023), which is being phased in alongside the IT Act 2000 and sector-specific regulations.
India-based AI vendors are governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), India's first comprehensive privacy law. The Act was notified in August 2023 but is being phased into operation by the Ministry of Electronics and Information Technology (MeitY); the Data Protection Board of India (DPBI) is the enforcement authority. The IT Act 2000 and its Sensitive Personal Data or Information Rules (SPDI Rules, 2011) remain operative for matters not yet covered by DPDP Act implementation rules. India is a major destination for AI engineering talent and increasingly hosts the operations of global AI vendors.
Buyer considerations
- DPDP Act implementation rules are still being finalized; the regulatory landscape is evolving rapidly.
- No EU adequacy decision; cross-border transfers from the EU rely on SCCs or other mechanisms.
- Significant Personal Data Fiduciaries (SPDFs) face stricter requirements (DPO, DPIA, audits); thresholds are set by MeitY.
- Data localization requirements have been narrowed compared to the draft 2018 bill but remain relevant for sectoral regulators (RBI for financial data).
- India is not party to many bilateral cybercrime treaties; law enforcement access requests may be processed through different channels.